This invention relates to enhancing the protection of a host computer from network disruptions, and more particularly, to a method for enhancing the protection of a server from flooding attacks via a telecommunication network.
The Internet has become an integral part of today's society, with a practically innumerable number of consumers using it to search for information, get news, purchase products on-line, locate special events, pay bills, perform on-line banking, etc. The Internet is a worldwide network of server computers that are accessible through a packet-carrying telecommunications network, a standardized protocol, and an established naming space. More specifically, communication of data over the Internet takes place via the Transmission Control Protocol/Internet Protocol (TCP/IP), which was created in the early 1970s and has evolved into a transport protocol used to conduct all kinds of electronic transactions. Many of the servers on the Internet are sites of commercial establishments, where the products or services of those establishments are offered to client computers that connect to the servers. The product-purchase or service-purchase interactions between such Internet site servers and the client computers, which are typically personal computers of individuals that connect to the Internet via an Internet Service Provider, are sometimes referred to as e-commerce.
For all its versatility, the TCP/IP protocol leaves devices that are connected to the Internet vulnerable to computer-hacker denial-of-service (DoS) attacks. A DoS attack overloads the victimized server, thereby denying users access to the server and causing loss of revenue to the owner of the victimized server. A common DoS attack is a “SYN attack,” which occurs in the course of the conventional three-message handshake operation used for starting a data connection between two devices (i.e., the client and the server). In accordance with the conventional connection establishment protocol, a client wishing to connect to a server sends a “synchronize” (SYN) message to the server. The SYN message includes the IP address of the client wishing to establish a connection (in addition to other signals). In response, the server sends a “synchronize and acknowledge” (SYN/ACK) message to the client, and finally, the client sends an “acknowledge” (ACK) message to the server. After the three-message handshake is completed, the client and server switch to a data transfer/connection mode to send and receive application(s) data.
From the server's side of the protocol, a problem arises if the client sends a SYN message but never sends the ACK message in response to the server's SYN/ACK message. To handle this, the server starts a timer when the SYN/ACK message is sent. If no ACK message arrives at the server before the timer expires, the server abandons the requested connection (moving the connection to a “closed” state). A DoS condition results when a hacker client sends a large number of SYN messages to the server (floods the server) and intentionally refrains from sending the ACK messages. When that occurs, the server is left waiting for the ACK message of every pending connection request, becomes swamped with connection establishment requests, and is essentially paralyzed.
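To make the SYN/ACK timer and the half-open state concrete, the following is an added Python model of the server side of the handshake described above; it is not code from the application or the parent application. The timeout, the backlog limit and the peer addresses (RFC 5737 documentation ranges) are assumed values chosen for illustration.

```python
from dataclasses import dataclass

# Assumed parameters for the model (not values from the application).
SYN_ACK_TIMEOUT = 3.0   # seconds a SYN/ACK may wait for its ACK before the entry is abandoned
BACKLOG_LIMIT = 4       # maximum number of half-open connections the server holds at once


@dataclass
class HalfOpen:
    """One connection that has received a SYN and sent a SYN/ACK but no ACK yet."""
    client: str             # "ip:port" of the peer that sent the SYN
    syn_ack_sent_at: float  # time the SYN/ACK went out; this starts the timer


class HandshakeServer:
    """Tracks connections between SYN receipt and ACK receipt."""

    def __init__(self):
        self.now = 0.0
        self.half_open = {}      # client -> HalfOpen entry
        self.established = set()
        self.dropped_syns = 0    # SYNs refused because the backlog was full

    def expire(self):
        """Abandon half-open entries whose SYN/ACK timer has run out (the "closed" state)."""
        for client, entry in list(self.half_open.items()):
            if self.now - entry.syn_ack_sent_at >= SYN_ACK_TIMEOUT:
                del self.half_open[client]

    def on_syn(self, client, t):
        """Handle an arriving SYN at time t; returns what the server did with it."""
        self.now = t
        self.expire()
        if client in self.half_open or client in self.established:
            return "duplicate"
        if len(self.half_open) >= BACKLOG_LIMIT:
            self.dropped_syns += 1
            return "dropped"        # backlog exhausted: even a legitimate SYN is refused
        self.half_open[client] = HalfOpen(client, t)   # SYN/ACK sent, timer started
        return "syn_ack"

    def on_ack(self, client, t):
        """Handle an arriving ACK at time t; completes the handshake if an entry is pending."""
        self.now = t
        self.expire()
        entry = self.half_open.pop(client, None)
        if entry is None:
            return "no_such_connection"
        self.established.add(client)
        return "established"


def run_scenario():
    """Constructed timeline: four SYNs that are never acknowledged fill the backlog,
    so a legitimate SYN is refused until the timers expire."""
    srv = HandshakeServer()
    results = {}
    for i in range(4):                                   # t = 0.0, 0.1, 0.2, 0.3
        srv.on_syn(f"198.51.100.{i}:4000{i}", 0.1 * i)   # constructed sources, no ACK ever follows
    results["backlog_after_flood"] = len(srv.half_open)
    results["legit_during_flood"] = srv.on_syn("192.0.2.10:51000", 1.0)   # still within timeout
    results["legit_after_expiry"] = srv.on_syn("192.0.2.10:51000", 3.5)   # all four timers expired
    results["legit_ack"] = srv.on_ack("192.0.2.10:51000", 3.6)
    results["dropped_total"] = srv.dropped_syns
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The model shows the mechanism the text relies on: the timer is what frees a stale entry, so the only cost the unacknowledging sender pays is sending SYNs, while the server pays one backlog slot for the full timeout of each.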
The aforementioned parent application overcomes this problem by providing a system and method for predicting and protecting a server from a flooding attack. In accordance with one aspect of the disclosed solution, the arrival times of SYN messages (requesting connections) are maintained. The difference between the arrival times of consecutive SYN messages from the same device is calculated and compared to a threshold. If the two arrival times fall within the threshold, the second connection is refused (ignored). The threshold value is selected based on a probability distribution function that was established after extensive study of the arrival times of previous connection establishment requests received at the server.
This solution is very good, but it remains open to attack from a hacker who is able to mask the true IP address of the client that is requesting connection establishment through its SYN messages. If the flood of SYN messages carries different originating (bogus) IP addresses, the server can still be brought down, because no two messages appear to come from the same device and the inter-arrival comparison never triggers.
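The per-device inter-arrival check of the parent application, and the limitation noted in the preceding paragraph, can both be seen in the following added Python example; it is not the parent application's own code. The threshold value is an assumption (the application derives it from a probability distribution of past arrival times), and the traffic samples are constructed using RFC 5737 documentation addresses.

```python
THRESHOLD_SECONDS = 0.5   # assumed; the application selects it from a distribution of past arrival times


class InterArrivalFilter:
    """Refuse a SYN whose arrival is within the threshold of the previous SYN from the same source."""

    def __init__(self, threshold=THRESHOLD_SECONDS):
        self.threshold = threshold
        self.last_seen = {}   # source IP -> arrival time of its previous SYN

    def on_syn(self, src_ip, t):
        """Return True if the connection request is accepted, False if it is refused (ignored)."""
        prev = self.last_seen.get(src_ip)
        # The arrival time is recorded either way, so the comparison is always against
        # the adjacent (most recent) SYN from that source, as the text describes.
        self.last_seen[src_ip] = t
        return prev is None or (t - prev) >= self.threshold


def run_filter(filt, events):
    """Feed (src_ip, arrival_time) pairs through the filter; return (accepted, refused) counts."""
    accepted = refused = 0
    for src, t in events:
        if filt.on_syn(src, t):
            accepted += 1
        else:
            refused += 1
    return accepted, refused


def evaluate():
    """Constructed samples: a single-source burst, the same burst with a forged source per
    message, and a legitimate client reconnecting after a two-second gap."""
    same_source = [("192.0.2.10", 0.1 * i) for i in range(5)]          # 5 SYNs, 0.1 s apart
    forged_sources = [(f"198.51.100.{i}", 0.1 * i) for i in range(5)]  # same timing, new IP each time
    legit = [("192.0.2.20", 0.0), ("192.0.2.20", 2.0)]
    return {
        "same_source": run_filter(InterArrivalFilter(), same_source),
        "forged_sources": run_filter(InterArrivalFilter(), forged_sources),
        "legit": run_filter(InterArrivalFilter(), legit),
    }


if __name__ == "__main__":
    for name, (acc, ref) in evaluate().items():
        print(f"{name}: accepted={acc} refused={ref}")
```

The single-source burst is cut to one accepted request, and the legitimate client is untouched, but the burst with a different forged address per message is accepted in full: the filter keys on source IP, so a sender that never reuses an address never produces an inter-arrival difference to compare. That gap is what the present application sets out to close.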